
Bug#771896: marked as done (apt-transport-https must depend on ca-certificates)



Your message dated Wed, 3 Dec 2014 22:05:18 +0100
with message-id <20141203210518.GB1597@crossbow>
and subject line Re: Bug#771896: apt-transport-https must depend on ca-certificates
has caused the Debian Bug report #771896,
regarding apt-transport-https must depend on ca-certificates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
771896: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771896
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: apt-transport-https
version: 1.0.9.3
severity: grave
justification: installing apt-transport-https should be enough to access
https repos

On a fresh chroot, apt-get update failed on a https repo even when
apt-transport-https was installed. It was working after ca-certificates
package was installed.

root@savannah:/# echo deb https://people.debian.org/~praveen/diaspora-unreleased unstable main >>/etc/apt/sources.list
root@savannah:/# apt-get update
Ign https://people.debian.org unstable InRelease
Ign https://people.debian.org unstable Release.gpg
Ign https://people.debian.org unstable Release
Get:1 http://ftp.de.debian.org jessie InRelease [191 kB]
Err https://people.debian.org unstable/main amd64 Packages

Ign https://people.debian.org unstable/main Translation-en
Get:2 http://ftp.de.debian.org jessie/main amd64 Packages/DiffIndex
[7876 B]
Get:3 http://ftp.de.debian.org jessie/main Translation-en/DiffIndex
[7876 B]
Get:4 http://ftp.de.debian.org jessie/main amd64
2014-12-03-0244.11.pdiff [14.4 kB]
Get:5 http://ftp.de.debian.org jessie/main amd64
2014-12-03-0244.11.pdiff [14.4 kB]
Fetched 221 kB in 20s (10.6 kB/s)

W: Failed to fetch
https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages


E: Some index files failed to download. They have been ignored, or old
ones used instead.
root@savannah:/# apt-get update
Ign https://people.debian.org unstable InRelease
Hit http://ftp.de.debian.org jessie InRelease
Ign https://people.debian.org unstable Release.gpg
Get:1 http://ftp.de.debian.org jessie/main amd64 Packages/DiffIndex [7876 B]
Ign https://people.debian.org unstable Release
Get:2 http://ftp.de.debian.org jessie/main Translation-en/DiffIndex [7876 B]
Err https://people.debian.org unstable/main amd64 Packages

Ign https://people.debian.org unstable/main Translation-en
Fetched 15.8 kB in 6s (2588 B/s)

W: Failed to fetch
https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages


E: Some index files failed to download. They have been ignored, or old
ones used instead.
root@savannah:/#

At the minimum, the error message should say the signature could not be
verified, like wget

wget
http://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
converted
'http://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages'
(ANSI_X3.4-1968) ->
'http://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages'
(UTF-8)
--2014-12-03 09:52:26--
http://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
Resolving people.debian.org (people.debian.org)... 5.153.231.30,
2001:41c8:1000:21::21:30
Connecting to people.debian.org (people.debian.org)|5.153.231.30|:80...
connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location:
https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
[following]
converted
'https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages'
(ANSI_X3.4-1968) ->
'https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages'
(UTF-8)
--2014-12-03 09:52:27--
https://people.debian.org/~praveen/diaspora-unreleased/dists/unstable/main/binary-amd64/Packages
Connecting to people.debian.org (people.debian.org)|5.153.231.30|:443...
connected.
ERROR: The certificate of 'people.debian.org' is not trusted.
ERROR: The certificate of 'people.debian.org' hasn't got a known issuer.



--- End Message ---
--- Begin Message ---
Hi,

On Wed, Dec 03, 2014 at 03:41:29PM +0530, Pirate Praveen wrote:
> package: apt-transport-https
> version: 1.0.9.3
> severity: grave
> justification: installing apt-transport-https should be enough to access
> https repos
> 
> On a fresh chroot, apt-get update failed on a https repo even when
> apt-transport-https was installed. It was working after ca-certificates
> package was installed.

You are assuming that each and everyone is using -https with
a certificate anchored by the big CA guys contained in the
ca-certificates package.
That isn't required though. There is no problem in using a self-signed
certificate or to pin to a specific CA for example.

In other words: It is at most a Recommends and not Depends.


And while it might not hurt[0] to add it to -https, we depend on
libcurl3-gnutls, which itself recommends ca-certificates, so you already
get it if you haven't chosen to be unusual (= disabled recommends).

In other words: No need to fix that for jessie - as the release team has
already ruled with the severity downgrade.


[0] Now, one last bit: fix the bug after jessie or not?
Well, -https doesn't use ca-certificates directly. It uses curl which
uses it, but we don't explicitly request it: It is just their default
and I would argue that it is more their task to "work out of the box"
than it is ours to make that happen – and they do, so if we do it as
well we achieve nothing, but risk that this becomes obsolete (or worse)
if they change their default to something else.

So, all things combined: Closing as not a bug.


Best regards

David Kalnischkies



--- End Message ---
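
The two cases discussed in this thread (a chroot with no CA bundle, and a repository pinned to its own CA) can be told apart before running apt-get update. The following is an added example, not code from the thread or from apt: the function name apt_trust_source is hypothetical, and it assumes the Debian bundle path /etc/ssl/certs/ca-certificates.crt and apt's Acquire::https CaInfo and Verify-Peer options.

```shell
# Report where apt's HTTPS trust anchors would come from under a root
# directory (a chroot path, or / for the running system).
# Simplification: the first CaInfo found is reported regardless of whether
# it is global or scoped to one host.
apt_trust_source() {
    root=${1%/}
    bundle="$root/etc/ssl/certs/ca-certificates.crt"
    set -- "$root/etc/apt/apt.conf" "$root"/etc/apt/apt.conf.d/*
    # Active (non-comment) configuration lines; missing files are ignored.
    conf=$(cat "$@" 2>/dev/null | grep -Ev '^[[:space:]]*(//|#)' || true)

    # Verify-Peer "false" makes HTTPS fetches succeed without any CA,
    # which hides the missing-bundle problem instead of fixing it.
    if printf '%s\n' "$conf" | grep -Eiq 'Verify-Peer[[:space:]]+"?false'; then
        echo "verification disabled (Verify-Peer false)"
        return 2
    fi

    # A CaInfo setting pins apt to a specific CA file (self-signed or private CA).
    pinned=$(printf '%s\n' "$conf" |
        sed -n 's/.*CaInfo[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    if [ -n "$pinned" ]; then
        if [ -s "$root$pinned" ]; then
            echo "pinned CA: $pinned"
            return 0
        fi
        echo "pinned CA missing: $pinned"
        return 1
    fi

    # Otherwise the default bundle shipped by ca-certificates is the only source.
    if [ -s "$bundle" ]; then
        echo "system bundle (ca-certificates)"
        return 0
    fi
    echo "no trust anchors: install ca-certificates or set CaInfo"
    return 1
}
```

Exit status 1 corresponds to the reporter's fresh-chroot failure; status 2 flags a configuration that fetches over HTTPS without authenticating the server.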